The QuickTime vulnerability that led to a far-flung worm irruption on MySpace.com last calendar month could be tap again , according to security researcherAviv Raff , who has put out software that illustrates his point .
Apple issue a temporary patch for the job last month , but on Wednesday Raffpublished trial impression - of - conception codeshowing how this bug could still be exploited in combination with other malicious software to run unauthorised software program on a patched estimator .
Apple created its patch after a insect spread through the MySpace community in other December , slip MySpace log - in certificate and promote adware World Wide Web site . But rather than addressing the inherent problem , Apple ’s fix appears to simply block the MySpace insect code , Raff tell . “ Apple ’s patch has no effect on this vulnerability , ” he said via instant message .
user were infect by the MySpace worm when they played maliciously encoded .mov multimedia system files .
The tone-beginning show by Raff is called a cross - zone scripting flak . It circumvents the “ zone ” security mannikin that is used by Internet Explorer to define the type of things internet - based software can do on a microcomputer . “ It potentially allows an assailant to execute arbitrary code on the exploiter ’s machine , ” Raff said of the exposure .
Raff ’s proof - of - construct code shows how this cross - zone scripting attack could be used to run code on a Windows 2000 arrangement running the cyberspace Explorer 6 web internet browser . It was put out as part of a month - long effort to describe care to security measure issues in Apple ’s product , called theMonth of Apple Bugs .
Running malware on a dupe ’s microcomputer is a two - step process , however , and assailant would also want to exploit a 2nd vulnerability so as to trick the browser app into be given their code .
Raff ’s code exploits a acknowledge bug in Microsoft ’s Management Console software package , which was patched last August . But the attempt could also be paired with code that takes advantage of an unpatched Windows vulnerability , make it a far more serious exploit , said Alyssa Myers , a virus inquiry engineer with McAfee . “ It seems probable that this sort of thing could be used for a MySpace worm , ” she said . “ Whether that actually ends up happening is anybody ’s surmise . ”
When Apple created its QuickTime fix last month , it did not fork out the software directly to QuickTime user but alternatively contain the unusual step of having MySpace link to the computer code .
Apple may have decide not to dispense this spot directly because it did not address the inherent problem , said Tim Erlin , jeopardy judgment engineering manager with nCircle internet Security . “ They did n’t piece the whole affair , ” he say . “ They reacted to the emergence of a dirt ball on MySpace . ”
It will be difficult for Apple to get the underlying problem , researcher say , because the HREF Track QuickTime feature that is exploit in these tone-beginning is used by a number of lawful software . These would be broken if Apple simply invalid the feature article , Erlin say . “ They ca n’t simply overstretch it out , ” he said .
Apple is work on a “ broader solution ” to the QuickTime job , a caller spokesman said Thursday . He could not immediately point out on Raff ’s proof - of - concept code .
